Data Processing Addendum

These personal information processing terms and schedules constitute Recollective’s data processing addendum (“DPA”) and are included by reference to the Software as a Service Subscription Agreement between Recollective and Customer (the “Agreement”). In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

Recollective reserves the right to update the contents of this DPA from time to time upon notice to Customer by posting a notice to its website.

The term of this DPA will follow the term of the Agreement (“Effective Date”).  Capitalized words not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1. Definitions

“California Personal Information” means Personal Information that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

"Consumer", "Business", "Sell" and "Service Provider" will have the meanings given to them in the CCPA. 

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Information in question under the Agreement, including (where applicable) without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Canada; in each case as amended, repealed, consolidated or replaced from time to time.

“Data Subject” means the individual to whom Personal Information relates.

"Deletion Date" means the date one hundred and eighty (180) days from the date administrative access to the Service ends or such longer period as may be agreed by the parties.

"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom. 

“European Data” means Personal Information that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of Personal Information and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the UK GDPR, the UK Data Protection Act 2018, the UK Privacy and Electronic Communications (EC Directive) Regulations 2003; and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Information (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Personal Information” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as Personal Information, personal information or personally identifiable information under applicable Data Protection Laws.

“Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed by Recollective and/or Recollective’s Sub-Processors in connection with the provision of the Services. "Personal Information Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Personal Information Consent” means the personal information consent obtained by Customer from its Authorized Users. A sample personal information consent is available in the website administration settings on the Service and may be modified or amended by the Customer.

“Processing” means any operation or set of operations which is performed on Personal Information, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Information. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Information on behalf of the Controller.

“Sub-Processor” means any Processor engaged by Recollective to assist in fulfilling Recollective’s obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties but will exclude any Recollective employee or consultant.

"UK GDPR" has the meaning given to it in Section 3(10) of the UK Data Protection Act 2018.

2. Customer Responsibilities

2.1 Compliance with Laws. 

Within the scope of the Agreement and in its use of the services, Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Information and the Instructions it issues to Recollective.

In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Information; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Information, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring Customer has the right to transfer, or provide access to, the Personal Information to Recollective for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that Customer Instructions to Recollective regarding the Processing of Personal Information comply with applicable Laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Customer will inform Recollective without undue delay if Customer is not able to comply with Customer’s responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.

2.2 Personal Information Consent.

Customer will accurately complete, with its own particulars, the Personal Information Consent. Customer will cause every Authorized User to consent to the Personal Information Consent prior to, and as a condition of, being granted access to the Services (and in any event before Customer collects Personal Information from such Authorized User). For its part, Customer will only collect, use, disclose and retain Personal Information according to the terms of the Personal Information Consent and in no event in an unreasonable way. 

RECOLLECTIVE DOES NOT WARRANT THAT OBTAINING CONSENT FOR THE PROCESSING OF PERSONAL INFORMATION IN THE FORM PROVIDED BY THE PERSONAL INFORMATION CONSENT WILL SATISFY THE DATA PROTECTION LAWS APPLICABLE TO CUSTOMER AND/OR ITS AUTHORIZED USERS.

2.3 Controller Instructions. 

The Parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete Instructions to Recollective in relation to the Processing of Personal Information, so long as Customer may provide additional instructions during the Service Period that are consistent with the Agreement, the nature and lawful use of the Services.

2.4 Security. 

Customer is responsible for independently determining whether the data security provided under the Agreement adequately meets Customer’s obligations under applicable Data Protection Laws.

3. Recollective Obligations

3.1 Compliance with Instructions. 

Recollective will only Process Personal Information for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable Law. Recollective is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Recollective.

3.2 Conflict of Laws. 

If Recollective becomes aware that it cannot Process Personal Information in accordance with Customer’s Instructions due to a legal requirement under any applicable Law, Recollective will (i) promptly notify Customer of that legal requirement to the extent permitted by the applicable Law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as Customer issues new Instructions with which Recollective is able to comply. If this provision is invoked, Recollective will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing.

3.3 Security. 

Recollective will implement and maintain appropriate technical and organizational measures designed to protect Personal Information from Personal Information Breaches as described in Recollective's security policy as amended from time to time, a current copy of which is available at https://recollective.com/resources/recollective-security-privacy-overview (the "Security Policy"). Notwithstanding any provision to the contrary, Recollective may modify or update the Security Policy at Recollective’s discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Policy. 

3.4 Confidentiality. 

Recollective will ensure that any personnel whom Recollective authorizes to Process Personal Information on Recollective’s behalf are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Information.

3.5 Personal Information Breaches. 

Recollective will notify Customer without undue delay after Recollective becomes aware of any Personal Information Breach and will provide timely information relating to the Personal Information Breach as it becomes known or reasonably requested by Customer. At Customer’s request, Recollective will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant Personal Information Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.

3.6 Deletion of Customer Data and Personal Information. 

Recollective will securely delete all Customer Data by the Deletion Date, including Customer's Confidential Information and Personal Information Processed pursuant to this DPA, provided that, for clarity, Recollective may retain Resultant Data.

4. Data Subject Requests

The Services provide Customer with a number of controls that Customer can use to retrieve, correct, delete or restrict Personal Information which Customer can use to assist it in connection with its obligations under Data Protection Laws, including Customer’s obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests"). 

To the extent that Customer is unable to independently address a Data Subject Request through the Services, then upon Customer’s written request, Recollective will provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Information under the Agreement. Customer shall reimburse Recollective for the commercially reasonable costs arising from this assistance.

If a Data Subject Request or other communication regarding the Processing of Personal Information under the Agreement is made directly to Recollective, Recollective will promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Information.

5. Sub-Processors

Customer agrees that Recollective may engage Sub-Processors to Process Personal Information on its behalf. Recollective has currently appointed, as Sub-Processors, the third parties listed in Schedule B to this DPA. Recollective will notify Customer if Recollective adds or replaces any Sub-Processors listed in Schedule B at least seven (7) days prior to any such changes.

Where Recollective engages Sub-Processors, Recollective will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Information as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Recollective will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Recollective to breach any of its obligations under this DPA.

6. Data Transfers

Customer acknowledges and agrees that Recollective may access and Process Personal Information on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Information may be transferred to and Processed by Recollective in Canada, the United States, the European Union and other jurisdictions where Recollective and its Sub-Processors have operations. Wherever Personal Information is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

7. Additional Provisions for European Data

7.1 Scope. 

This 'Additional Provisions for European Data' section shall apply only with respect to European Data.

7.2 Roles of the Parties.

When Processing European Data in accordance with Customer Instructions, the parties acknowledge and agree that Customer is the Controller of European Data and Recollective is the Processor. Customer will provide Recollective with prior notice identifying the relevant Personal Information before transferring European Data to Recollective.  Details of the processing undertaken by Recollective are set out in Schedule A.

7.3 Instructions.

If Recollective believes that a Customer Instruction infringes European Data Protection Laws (where applicable), Recollective will inform Customer without delay.

7.4 Objection to New Sub-Processors. 

Recollective will give Customer the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Information within seven (7) days of notifying Customer in accordance with the ‘Sub-Processors’ section of this DPA. If Customer does notify Recollective of such an objection, the Parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Recollective will, at Recollective’s sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

7.5 Data Protection Impact Assessments and Consultation with Supervisory Authorities. 

To the extent that the required information is reasonably available to Recollective, and Customer does not otherwise have access to the required information, Recollective will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

7.6 Transfer Mechanisms for Data Transfers. 

Customer acknowledges that in connection with the performance of the Services, Recollective is a recipient of European Data in Canada. The parties acknowledge that Canada has been recognized as providing adequate protection by the relevant authorities to permit the transfer of European Data without further transfer mechanisms.

7.7 Demonstration of Compliance.

Recollective will make all information reasonably necessary to demonstrate compliance with this DPA available to Customer and allow for and contribute to audits, including inspections conducted by Customer’s auditor in order to assess compliance with this DPA. Customer acknowledges and agrees that Customer will exercise its audit rights under this DPA by instructing Recollective to comply with the audit measures described in this Section. Customer acknowledges that the Services are hosted by Recollective’s hosting Sub-Processors who maintain independently validated security programs (including SOC 2 and ISO 27001) and that Recollective’s systems are regularly tested by independent third party penetration testing firms. Upon request, Recollective will supply (on a confidential basis) a summary copy of its penetration testing report(s) to Customer so that Customer can verify Recollective’s compliance with this DPA. Further, at Customer’s written request, Recollective will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer necessary to confirm Recollective’s compliance with this DPA, provided that Customer will not exercise this right more than once per calendar year unless Customer has reasonable grounds to suspect non-compliance with the DPA.

8. Additional Provisions for California Personal Information

8.1 Scope. 

The 'Additional Provisions for California Personal Information' section of the DPA will apply only with respect to California Personal Information.

8.2 Roles of the Parties. 

When processing California Personal Information in accordance with Customer Instructions, the parties acknowledge and agree that Customer is a Business and Recollective is a Service Provider for the purposes of the CCPA. Customer will provide Recollective with prior notice identifying the relevant Personal Information before transferring California Personal Information to Recollective.

8.3 Responsibilities. 

The parties agree that Recollective will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA. 

9. General Provisions

9.1 Amendments. 

Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, Recollective reserves the right to make any updates and changes to this DPA.

9.2 Limitation of Liability. 

Each Party’s liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the Parties), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement and any reference in such section to the liability of a Party means aggregate liability of that Party (including under this DPA).  In no event shall either party's liability be limited with respect to any individual's data protection rights under this DPA or otherwise.

SCHEDULE A
DETAILS OF PROCESSING

Subject matter

Use of Recollective’s online qualitative research platform (the “Community”).

Categories of data subjects

  • End users of the Community that have been authorized to access the Community by the Customer and who for greater certainty are:
    • Customer’s administrators (who may be employees or agents of Customer); and
    • Customer’s research subjects.

Categories of personal information 

Typical:

  • Identifying (name, username, unique identifiers, etc.)
  • Authenticating (passwords, PINs, etc.)
  • Preferences / Interests (opinions, interests, dislikes, etc.)
  • Tracking (computer device, contact information, location, etc.)

Additionally, at Customer’s discretion:

  • Professional (job titles, salaries, work history, etc.)
  • Family (family structure, marriages, divorces, relationships, etc.)
  • Demographic (age ranges, physical traits, income brackets, geographic, etc.)
  • Such other research data points as may be interesting to Customer that are not sensitive.

Sensitive (ONLY TO BE TRANSFERRED TO RECOLLECTIVE WITH RECOLLECTIVE’S PRIOR WRITTEN CONSENT):

  • Medical and Health (physical and mental health, disabilities, etc.)
  • Sexual (sex life, sexual orientation, etc.)
  • Race (race, ethnic origin, etc.)
  • Political (political opinions)

The frequency of processing

  • Continuous during the term of the Agreement

Nature of the processing

  • As necessary to operate the Community and achieve the Customer’s research objectives which for greater certainty means:
    • Migration, setup and hosting personal data as part of the Community;
    • Retrieval and transmission to Authorized Users, Customer and Sub-processors;
    • Encryption, anonymizing, pseudonymizing and compiling;
    • Processing as necessary to facilitate specific product features (such as video / audio recording)

Purpose of the processing

  • To fulfill Recollective’s contractual obligation to Customer for access and use of the Community. 

The period for which the personal information will be retained

  • For the duration of the Service Period, except that Recollective and its sub-processors may retain personal data as required by applicable law or in their backups, archives, and disaster recovery systems until such personal data is deleted in the ordinary course.

For transfers to sub-processors, the subject matter, nature and duration of the processing

  • Sub-processors who host the Community on their servers will store personal data integrated in the Community for the purpose of storing it and making it accessible to Recollective, Customer and end users. The duration of processing will be coextensive with Recollective’s obligation to operate the Community (subject to the retention provisions above).
  • Sub-processors who deliver plug-in features (such as video / audio recording), will process personal data as necessary and only for so long as required to make such plug-in features operate correctly.
  • Sub-processors who provide technical support will access personal data only as an ancillary consequence of their access to the Community for the purpose of providing technical support services. They will have access to personal data only for the duration of their provision of technical support services.

SCHEDULE B
LIST OF SUB-PROCESSORS

Name* | Address | Purpose of processing
Amazon Web Services, Inc | 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A | Hosting infrastructure
AssemblyAI Inc. | 2261 Market St, Suite 4577, San Francisco, CA 94114 | Transcription and diarization
Google LLC | 1600 Amphitheatre Parkway, Mountain View, California 94043 | AI features
HubSpot, Inc. | Two Canal Park, Cambridge, MA 02141, USA | Customer relationship management
Microsoft Corporation | One Microsoft Way, Redmond, Washington 98052 USA | AI features
Salesforce.com Canada Corporation | 10 Bay Street, Suite 400, Toronto, ON M5J 2R8 | Support ticketing
Soniox Inc. | 1045 Helm Ln, Foster City, CA 94404 | Transcription and diarization
Twilio Inc. | 375 Beale Street, Suite 300, San Francisco, CA 94105 | Email delivery and live video meeting rooms
Zilliz, Inc. | 330-201 Redwood Shores Parkway, Redwood City, CA 94065 | Vector database cloud services and related application functionality
*inclusive of affiliates